CLOUD Act Introduced for Consideration in Congress

Last week media outlets reported that the Clarifying Lawful Overseas Use of Data (CLOUD) Act was introduced Feb. 6 by Sens. Orrin Hatch (R-Utah), Chris Coons (R-Del.), Lindsay Graham (R-S.C.) and Sheldon Whitehouse (D-R.I.). A House companion bill was offered the same day by Rep. Doug Collins (R-Ga.).

The legislation is designed to speak to legal uncertainty generated by the landmark case Microsoft Corp. v. United States. The case centers on whether the provisions of the 1986 Electronic Communications Privacy Act that allow the government to compel disclosure of wire and electronic communications are subject to geographical and territorial limitations. As FCW has reported, in 2013, Microsoft resisted a U.S. warrant for emails stored in company servers in Ireland, arguing the data existed outside the jurisdiction of U.S. law. The case is scheduled to be ruled on by the U.S. Supreme Court in the current term.

According to the press release describing the legislation, the (CLOUD) Act of 2018 would work towards achieving four key goals:

Bilateral Agreements: The CLOUD Act enables the United States to enter into formal agreements with other nations to set clear standards for cross-border investigative requests for digital evidence. The CLOUD Act further identifies a series of statutory requirements that these agreements must satisfy, including privacy and security protections.

Extraterritoriality of U.S. Warrants and International Comity: The CLOUD Act amends U.S. law to make clear that U.S. warrants and other legal process issued for data held by communications providers reach data stored anywhere in the world. The reach of U.S. warrants and legal process, however, would be limited by international comity. The CLOUD Act would give providers, for the first time, a statutory right to challenge legal process based on international comity concerns.

Transparency: When a communications provider receives a request from U.S. law enforcement related to a national or resident of a country that has entered into a bilateral agreement with the United States, the provider will be permitted to notify that government of the existence of the request. This will allow the foreign government to assess compliance with the terms of the bilateral agreement and enable it to intervene diplomatically if it believes the request is inappropriate.

Reciprocity: The CLOUD Act would also require participating countries to remove legal restrictions that prevent compliance with data requests from U.S. law enforcement. To qualify for the statutory benefits of the legislation (removal of the U.S. blocking statute, a right for providers to object based on international comity and a right for providers to notify the government of the existence of requests), a foreign government must provide reciprocal rights and benefits to U.S. law enforcement and communications providers.

As I read it, the legislation appears to largely empower the deployment of Memoranda of Understanding common among and between financial regulatory agencies. Still, some critics have argued the bill’s provisions “impose weaker review standards below that of traditional warrant requirements under the Fourth Amendment, grant real-time access and data interception to foreign nations without having to meet the same evidentiary standards as U.S. law enforcement and a failure to provide any notice to a target that their data is being requested by a foreign government.” Others counter that the bill contains measures requiring the government to take into account a prospective partner country’s record on “human rights, privacy and rule of law before entering into any data sharing agreements.”